SAML noob here. As per the guide here: Understanding SAML | Okta Developer, an SP would need to store the public certificate to validate the signature. Would this certificate change for each customer in Okta or would we only ever have one public certificate for Okta as an IDP?
Okta uses unique signing credentials per-tenant. You can’t trust a single certificate for all Okta customers. This is a pretty common configuration for multi-tenant IdPs like Okta.
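
An added example (not part of the original reply, and not Okta's code) of what per-tenant signing credentials mean on the SP side: the trust store is keyed by the IdP tenant's entityID, and a response goes on to signature validation only if its embedded certificate matches the pin for that tenant. The entityIDs, certificate bytes and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

# Constructed stand-ins for each tenant's DER signing certificate (not real certs).
CERT_A = b"constructed-cert-bytes-tenant-a"
CERT_B = b"constructed-cert-bytes-tenant-b"

# One pinned signing certificate per IdP tenant, keyed by the tenant's entityID.
# The entityIDs are hypothetical placeholders.
TRUST_STORE = {
    "https://idp.example/tenant-a": fingerprint(CERT_A),
    "https://idp.example/tenant-b": fingerprint(CERT_B),
}

def check_tenant_cert(response_xml: str) -> str:
    """Return the Issuer if the embedded cert matches that tenant's pin."""
    # Real code should parse with a hardened parser inside a SAML library.
    root = ET.fromstring(response_xml)
    issuer_el = root.find("saml:Issuer", NS)
    cert_el = root.find(".//ds:X509Certificate", NS)
    if issuer_el is None or cert_el is None:
        raise ValueError("missing Issuer or X509Certificate")
    issuer = (issuer_el.text or "").strip()
    pin = TRUST_STORE.get(issuer)  # Issuer only selects the pin; it is not trusted yet
    if pin is None:
        raise ValueError("unknown IdP tenant")
    der = base64.b64decode("".join((cert_el.text or "").split()), validate=True)
    if not hmac.compare_digest(fingerprint(der), pin):
        raise ValueError("certificate is not the one pinned for this tenant")
    return issuer  # next step: verify the XML signature with this tenant's cert

def sample_response(issuer: str, cert: bytes) -> str:
    """Constructed, unsigned response skeleton used only as demo input."""
    b64 = base64.b64encode(cert).decode()
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{b64}"
        "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>"
        "</samlp:Response>"
    )
```

The check only selects and confirms the trust anchor; the XML signature itself still has to be verified against that tenant's certificate by a SAML library.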